The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/en/) is endeavoring to become a comprehensive database where vulnerability countermeasure information about software used in Japan is aggregated for IT users to easily access the information. JVN iPedia collects and/or translates the vulnerability countermeasure information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal site run by IPA and JPCERT/CC, and 3) NVD (*2), a vulnerability information database run by NIST (*3). JVN iPedia has continued to make the vulnerability information available to the public since April 25, 2007.

1-1. Vulnerabilities Registered in 2015 3Q

~ A total of 56,475 vulnerabilities stored in JVN iPedia ~

The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 3rd quarter of 2015 (July 1 to September 30, 2015) is shown in the table below. As of the end of September 2015, the total number of vulnerabilities stored in JVN iPedia is 56,475 (See Table 1-1, Figure 1-1).

As for the English version, a total of 1,281 vulnerabilities are available, as shown in the lower half of the table.

Table 1-1. Registered Vulnerabilities in 3rd Quarter of 2015

| | Information Source | Registered Cases | Cumulative Cases |
|---|---|---|---|
| Japanese Version | Domestic Product Developers | 0 cases | 168 cases |
| | JVN | 326 cases | 5,722 cases |
| | NVD | 1,435 cases | 50,585 cases |
| | Total | 1,761 cases | 56,475 cases |
| English Version | Domestic Product Developers | 0 cases | 168 cases |
| | JVN | 53 cases | 1,113 cases |
| | Total | 53 cases | 1,281 cases |

1-2. Hot Topic #1: Adobe Flash Player Vulnerabilities

~ 95 Adobe Flash Player vulnerabilities reported during 3Q, exceeding the previous year’s total, 76, in just three months ~

Figure 1-2-1 shows the number of Adobe Flash Player vulnerabilities registered to JVN iPedia in the last two years, from October 2013 to September 2015, by quarter. The number of Adobe Flash Player vulnerabilities disclosed through JVN iPedia during this quarter is 95, which exceeds the previous year’s total, 76, in just three months. Looking at the total by year, it has already reached 190 so far this year, which is two and a half times as many as in the previous year.

In early July of 2015, several Adobe Flash Player vulnerabilities, including zero-days, were disclosed as a result of the data breach of an Italian firm that sells spy software to governments all over the world (*4). After their disclosure, targeted attacks exploiting those vulnerabilities were observed.

Figure 1-2-2 shows the severity of Adobe Flash Player vulnerabilities registered this quarter (left) and that of all vulnerabilities registered to JVN iPedia (right) for comparison. Among the 3rd quarter’s 95 vulnerabilities, 89.5 percent were the severest “level III (High)”. Compared with the rate of “level III (High)” among all vulnerabilities, 40.1 percent, it is more than double.

When a web page containing Adobe Flash Player content is accessed, that content is usually executed automatically. As a result, Internet users are likely to be watching web content such as videos without realizing they are using Adobe Flash Player. Because they are unaware of it, they do not apply security fixes for Adobe Flash Player, surf the Internet with a vulnerable version, and their devices get infected with malware. This could be one of the reasons that Adobe Flash Player vulnerabilities are hacker favorites.

Adobe Flash Player users need to keep it up to date, and if they do not use it, they had better disable it in the browser settings or uninstall it.

1-3. Hot Topic #2: Vehicle Software Vulnerabilities

~ A vehicle software vulnerability was disclosed with CVE and registered to JVN iPedia for the first time ~

A news story about a vehicle software vulnerability that allowed an attacker to remotely hijack a vehicle made headlines in July 2015 (*5). The security researchers demonstrated that by exploiting a vulnerability in the Uconnect software (*6) loaded on certain vehicles of Fiat Chrysler Automobiles (FCA), they could take control of the vehicles - for example, manipulate the steering wheel and shut down the engine. To respond to this vulnerability, FCA was pushed to issue a massive recall.

Like other NVD-based vulnerabilities, this vulnerability was translated into Japanese and published on JVN iPedia (*7), which made it the first vehicle software vulnerability registered to JVN iPedia.

Since the recent trend promotes embedding computer software into various devices to achieve a variety of services, it is anticipated that vulnerabilities not only in vehicles but also in a wide variety of devices will be reported and registered to JVN iPedia.

Users and system administrators of those devices should practice vulnerability management – for example, keep an eye on vulnerability disclosures, and apply fixes and updates as soon as possible when they are released.

2. Details on JVN iPedia Registered Data

2-1. Type of Vulnerabilities Reported

Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 3rd quarter of 2015, sorted by the CWE vulnerability types.

The type of vulnerability reported most in the 3rd quarter is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 349 cases, followed by CWE-79 (Cross-Site Scripting) with 165 cases, CWE-20 (Improper Input Validation) with 159 cases and CWE-200 (Information Exposure) with 152 cases. The title of most reported vulnerability type often goes to CWE-79, and it is quite rare that CWE-119 takes the top spot as in this quarter. CWE-119 may allow an attacker to access important data and modify them by executing malicious code on an affected server or PC. Of this quarter’s 349 cases registered as CWE-119, vulnerabilities in browsers (e.g. Microsoft Internet Explorer, Apple Safari and Mozilla Firefox) and operating systems (e.g. Microsoft’s and Apple’s) account for more than 50 percent.

Software developers need to implement the necessary security measures from the planning and design phase of software development to mitigate vulnerabilities. IPA provides tools and guidelines, such as “How to Secure Your Website” (*8) for website developers and operators to create a secure website, “AppGoat” (*9) to help learn and understand vulnerabilities through practice and exercise, and “AnCoLe” (*10) for Android application developers to learn about and scan for vulnerabilities in their applications.

2-2. Severity of Vulnerabilities Reported

Figure 2-2 shows the annual change in the severity of vulnerabilities registered to JVN iPedia based on the date they were first published.

As of the end of September 2015, 40.1 percent of all vulnerabilities registered since the launch of JVN iPedia are level III (“High”, CVSS Base Score = 7.0-10.0), 52.7 percent are level II (“Medium”, CVSS Base Score = 4.0-6.9), and 7.2 percent are level I (“Low”, CVSS Base Score = 0.0-3.9).

This means the severity of 93 percent of the known vulnerabilities is level II or higher, which is critical enough to cause a service outage. To avoid the threats posed by known vulnerabilities, it is essential for users to update software to the latest version or apply security patches as soon as possible when they become available.

2-3. Type of Software Reported for Having Vulnerability

Figure 2-3 shows the annual change in the type of software reported with vulnerabilities. Application vulnerabilities have been published most and account for 84.9 percent of the total.

Since 2007, vulnerabilities in industrial control systems (ICS) used in critical infrastructure have been added to JVN iPedia. As of 2015/3Q, a total of 708 ICS vulnerabilities have been registered (Figure 2-4).

2-4. Product Reported

Table 2-4 lists the top 20 software products with the most vulnerabilities registered during the 3rd quarter (July to September) of 2015. As shown below, the 1st and 3rd are Apple operating systems, and the 11th and the 13th to 18th are Microsoft operating systems, making operating systems account for about 50 percent. Moreover, the 2nd, 4th, 9th, 10th and 12th are browsers like Microsoft Internet Explorer and Google Chrome, making operating systems and browsers account for 70 percent of the total.

JVN iPedia stores vulnerability information on a variety of software, including the top 20 software products. IPA hopes developers and users will make use of JVN iPedia to efficiently check vulnerability information about the software they are using and take timely action (*11).

3. Most Accessed Vulnerability Countermeasure Information

Table 3-1 lists the top 20 most accessed vulnerability information entries in JVN iPedia during the 3rd quarter of 2015 (July – September). The top entry is a vulnerability in PHP, a scripting language widely used in Japan. The 2nd and 3rd are vulnerabilities in Yodobashi. Many people likely viewed them because it is an official smartphone application of a major consumer electronics retailer in Japan.

Focusing on the vulnerability type, the 10th, 12th, 14th and 19th are cross-site scripting, the top and 4th are OS command injection, and the 11th and 18th are directory traversal. Cross-site scripting may allow an attacker to steal important data and/or modify them by executing malicious code on the user’s browser.

Footnotes

(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information including information on vendor response to the reported vulnerabilities and security support. Operated in collaboration by IPA and JPCERT/CC. https://jvn.jp/en/